From owner-freebsd-security Fri Feb 23 10:00:02 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id KAA25793 for security-outgoing; Fri, 23 Feb 1996 10:00:02 -0800 (PST)
Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id JAA25744 for ; Fri, 23 Feb 1996 09:59:49 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.4/8.6.10) with SMTP id JAA27883; Fri, 23 Feb 1996 09:57:46 -0800 (PST)
From: Cy Schubert - BCSC Open Systems Group
Message-Id: <199602231757.JAA27883@passer.osg.gov.bc.ca>
X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol
Reply-to: cschuber@orca.gov.bc.ca
X-Mailer: DXmail
To: Brian Tao
cc: cschuber@orca.gov.bc.ca, FREEBSD-SECURITY-L
Subject: Re: Informing users of cracked passwords?
In-reply-to: Your message of "Fri, 23 Feb 96 12:45:42 EST."
Date: Fri, 23 Feb 96 09:57:46 -0800
X-Mts: smtp
Sender: owner-security@FreeBSD.org
Precedence: bulk

> On Fri, 23 Feb 1996, Cy Schubert - BCSC Open Systems Group wrote:
> >
> > One could use TCP/Wrapper to restrict the effectiveness of "r" commands to hosts
> > that you trust, thereby negating any entries users have put in their .rhosts
> > files for hosts that you don't trust.
>
>      I have tcpd running here, but it only refuses connects for hosts
> with no reverse DNS or with mismatched forward/reverse records.  Since
> a lot of our users telnet in from elsewhere, I can't maintain a list
> of "trusted" hosts (this is for an ISP, after all).
>
>      I could disable .rhosts, but that raises another question.  Is it
> better to allow users to rlogin from an untrusted host to your system,
> or to force them to authenticate themselves each time and have
> cleartext passwords flying over the network?
>
>      It would be so much easier if access was only through modem
> dialup, and we didn't have to rely on NFS or a distributed password
> system, or give shell access, etc., etc.  :-/

You're obviously using TCPD to monitor connections, excluding those
connections that are caught by the PARANOID mode code.  You could, for
example, maintain a simple hosts.allow:

    ALL EXCEPT rlogind rshd rexecd fingerd: ALL
    rlogind rshd rexecd: .io.org

These two lines restrict rlogin, rsh, and rexec to hosts within the
io.org domain while allowing connections to all other services from
anywhere in the world.

> --
> Brian Tao (BT300, taob@io.org)
> Systems Administrator, Internex Online Inc.
> "Though this be madness, yet there is method in't"

Regards,                        Phone:  (604)389-3827
Cy Schubert                     OV/VM:  BCSC02(CSCHUBER)
Open Systems Support            BITNET: CSCHUBER@BCSC02.BITNET
BC Systems Corp.                Internet: cschuber@uumail.gov.bc.ca
                                          cschuber@bcsc02.gov.bc.ca
"Quit spooling around, JES do it."
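To check what those two hosts.allow lines actually admit, here is a small model of tcpd's hosts_access(5) matching, added here as an example; it is not code from the original message or from tcp_wrappers. It implements only the syntax the lines use (ALL, EXCEPT, the leading-dot domain pattern, plus LOCAL) and the decision order tcpd applies: a (daemon, client) pair that matches hosts.allow is granted, one that matches hosts.deny is refused, and one that matches neither is granted. That last default is why the example pairs the lines with a hosts.deny of ALL: ALL, an assumption not in the message; without it the io.org restriction on rlogind, rshd and rexecd admits everyone. The sample daemon and client names other than io.org are constructed.

```python
"""Model of tcp_wrappers hosts_access(5) matching for the hosts.allow lines
discussed above.  Added example for illustration; it is not tcpd's own code
and only implements the subset of the syntax those lines use."""

# The two hosts.allow lines from the message, verbatim.
HOSTS_ALLOW = """
ALL EXCEPT rlogind rshd rexecd fingerd: ALL
rlogind rshd rexecd: .io.org
"""

# Assumption: a catch-all hosts.deny.  tcpd grants any (daemon, client) pair
# that matches neither file, so without this line the io.org restriction on
# the "r" daemons does nothing.
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens), ...] for a hosts.allow/deny
    file; blank lines and '#' comments are skipped, and an optional third
    shell_command field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _token_matches(token, value, is_client):
    """One pattern token against a daemon name or a resolved client host name.
    tcpd's PARANOID check (forward/reverse DNS mismatch) runs before these
    rules, so the host name is assumed to have already passed it."""
    if token == "ALL":
        return True
    if is_client:
        if token == "LOCAL":                 # any host name without a dot
            return "." not in value
        if token.startswith("."):            # ".io.org" matches "shell.io.org"
            return value.endswith(token)
    return token == value


def _list_matches(tokens, value, is_client):
    """'list_1 EXCEPT list_2' matches when list_1 does and list_2 does not;
    nested EXCEPTs group to the right, as in hosts_access(5)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(tokens[:i], value, is_client)
                and not _list_matches(tokens[i + 1:], value, is_client))
    return any(_token_matches(t, value, is_client) for t in tokens)


def _file_matches(text, daemon, client):
    return any(_list_matches(d, daemon, False) and _list_matches(c, client, True)
               for d, c in parse_rules(text))


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd's decision order: hosts.allow grants, then hosts.deny refuses,
    otherwise the connection is granted."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True


# Constructed (daemon, client) pairs; the non-io.org host names are made up.
SAMPLE_PAIRS = [
    ("telnetd", "dialup.example.net"),
    ("rlogind", "shell.io.org"),
    ("rshd", "dialup.example.net"),
    ("rlogind", "io.org.example.net"),   # does not end in ".io.org", so refused
    ("fingerd", "shell.io.org"),         # excluded from line 1, absent from line 2
]


def evaluate(pairs=SAMPLE_PAIRS, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Map each (daemon, client) pair to tcpd's grant/refuse decision."""
    return {pair: hosts_access(pair[0], pair[1], allow, deny) for pair in pairs}


if __name__ == "__main__":
    for (daemon, client), ok in evaluate().items():
        print("%-8s from %-22s %s" % (daemon, client, "allow" if ok else "deny"))
    print("same pairs with no hosts.deny at all:")
    for (daemon, client), ok in evaluate(deny="").items():
        print("%-8s from %-22s %s" % (daemon, client, "allow" if ok else "deny"))
```

Running it shows the io.org restriction holding for rlogind, rshd and rexecd only while the hosts.deny line is present, and it shows one side effect worth checking on a real box: fingerd is excluded from the first line but not listed in the second, so with the catch-all deny it is refused from everywhere. If finger is meant to stay open, drop it from the EXCEPT list; if it is meant to be restricted, give it its own client list.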